ISO PS016 Inventory, Tracking and Discarding of Computing Devices

Policy Name: Inventory, Tracking, Discarding and Redeployment of Computing Devices or Media
Policy Number: IS PS016
Effective Date: July 23, 2007
Review Date: January 29, 2013
Last Revision Date: January 29, 2013
Last Revision By: Kim Adams
Contact Name: Matthew Witten
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
Version: 1.1

 


POLICY:

All computing devices and electronic media being redeployed, surplused, discarded or otherwise removed from service or changing service facilities must, regardless of the value of the computing device or media, have all sensitive information permanently deleted.

 


STANDARDS:

Important Note: See related Purchasing Department Policies and Procedures Purchasing 33.00: Personal Property Inventory for details regarding the purchase, identification, inventory and surplus of equipment. These policies and standards apply to all computing devices or associated electronic media, regardless of expendable classification per Purchasing Department policies and procedures.

Administrative Standards:

Computing Device or Media Redeployment

  • Any computing device being moved from one school, department, unit or other University entity to another (or between personnel with different access and need-to-know privileges if in the same unit) must have all sensitive information eradicated (see Technical Standards section for eradication guidelines).
  • Any electronic media being moved from one school, department, unit or other University entity to another (or between personnel with different access and need-to-know privileges if in the same unit) must have all sensitive information eradicated (see Technical Standards section for eradication guidelines).

Computing Device or Electronic Media Disposal or Surplusing

  • Any computing device being discarded, donated, sent to surplus or otherwise being removed from service must have all sensitive information eradicated (see Technical Standards section for eradication guidelines).
  • Any electronic media being discarded, donated, sent to surplus or otherwise being removed from service must have all sensitive information eradicated. Physical destruction of the media is the best method of media disposal (see Technical Standards section for data eradication and destruction guidelines).

Electronic Protected Health Information (ePHI) Note:

  • For any computing device or electronic media, as described in the above situations, that contained ePHI, a record or log of disposition of the devices or media must be maintained by the responsible University entity.

Technical Standards:

Proper tools are required to eradicate sensitive information. Links to tools for total eradication of data on the device as well as specific eradication of selected data are maintained on the Information Security Office web site.

Eradication of Data

  • Total eradication of data on the computing device or electronic media is the preferred way to provide a reasonable assurance that sensitive information has been eliminated if the device or media is not to be destroyed (see physical media destruction below).

    A total eradication tool must be used if the device or media is being removed from service within the University. Selective eradication of data may be used for computing devices or electronic media being redeployed (not disposed or surplused) provided ePHI was not housed on the computing device or electronic media.

    Electronic Protected Health Information (ePHI) Note: Computing devices or electronic media which contain or contained ePHI must have the media cleansed using a total eradication method.
  • Tier One or other qualified support staff who understand how to use the tools outlined above must perform this procedure. This is to both maximize assurance of data eradication and to minimize the chance of accidental inappropriate data deletion.
  • Certification of Data Eradication - Computing Devices Surplus Certification labels are provided by the Purchasing Department to affix to the device and signify that the device or electronic media has had its data eradicated. It is extremely important that the procedures for this are followed. See http://louisville.edu/purchasing/policies/purchasing-33.00.html for more information.

Physical Media Destruction

  • Physical destruction of electronic media is the preferred way to provide a high level of assurance that sensitive information has been eliminated if the electronic media is being disposed and not redeployed. Physical destruction is considered complete only if the media has been disposed of with a shredder or other equipment designed for destroying electronic media. "Casual destruction" (bending, cutting with scissors, breaking and similar activities) is not an adequate way to physically destroy electronic media.

    Note: If proper physical destruction tools are not available for media being disposed, properly performed total eradication of data, as described above, is acceptable.

 


PROCEDURES:

See related procedures at the Purchasing Department web site.

 


SCOPE / APPLICABILITY:

All persons while conducting/performing work, teaching, research or study activity or otherwise using University resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.

POLICY AUTHORITY / ENFORCEMENT:

The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

POLICY REVIEW:

This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.

COMPLIANCE:

Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.

 


REVISION HISTORY:

Version / Revision Date / Description

1.0 / July 23, 2007 / Original Publication

1.1 / January 29, 2013 / Content Update


This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
